Privacy Policy
One-Time-Note (OTN) is designed to process as little personal data as possible. The content of your note is end-to-end encrypted — we can neither read it nor recover it.
1. Data Controller
Sascha „Ernie“ Ernst
SEE Service-Group
58089 Hagen, Germany
Email: contact@see-sg.de
2. What we process
2.1 When you visit the site (server logs)
Our web server processes technically necessary information sent by your browser. We keep this minimal:
- HTTP method, URL, response status code
- Time of the request
- HTTP Referrer (if sent by the browser; we set
Referrer-Policy: no-referrer)
IP addresses are not persistently stored. Where IPs appear in transient diagnostic logs, this serves solely to defend against attacks (e.g. DDoS protection, rate limiting) and the data is removed shortly after. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in operating and securing the service).
2.2 When you create a note
When you create a note we store, on our server, only:
- The encrypted content (ciphertext) — encryption happens in your browser using AES-256-GCM. The key never leaves your browser.
- The initialization vector (IV) — 12 random bytes, useless without the key.
- A SHA-256 hash of the key — used only to verify that the requester knows the correct key. The key cannot be reconstructed from the hash.
- A random unique ID for the link
- The destruction mode (one-time read or timed) and, where applicable, the expiry timestamp
- Optional: the sender email you voluntarily provided (unencrypted, displayed to the recipient)
Legal basis: Art. 6 (1) (b) GDPR (provision of the requested service) and Art. 6 (1) (a) GDPR (consent) for the optional sender email.
2.3 Retention period
- One-time read mode: immediately after the first successful retrieval.
- Timed mode: no later than the expiry you chose (5 minutes to 12 hours). A cleanup job removes expired records independently of access.
Deleted notes cannot be recovered.
3. What we do not do
- No accounts, no login, no user tracking.
- No cookies. No personalisation via local storage.
- No analytics, no tag manager, no third-party trackers.
- No ad networks, no profiling, no automated decision-making.
- No sharing of your data with third parties for commercial purposes.
4. Third parties & processors
The service runs on a VPS located in the European Union (Germany). The underlying infrastructure is provided by an EU-based hosting provider under a data processing agreement (Art. 28 GDPR).
Fonts and QR generation are served locally. We do not embed Google Fonts or other third-party CDNs.
5. Security
- Transport: TLS 1.2/1.3 with HSTS.
- Strict Content-Security-Policy, no external scripts.
- Content encryption: AES-256-GCM, key kept browser-only (URL fragment).
- Rate limiting against abuse and brute force.
- Search-engine indexing of note pages is disabled (
X-Robots-Tag: noindex).
6. Your rights
Under the GDPR you have the right to:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Object (Art. 21)
- Withdraw consent with future effect (Art. 7 (3))
Send requests to contact@see-sg.de.
7. Right to lodge a complaint
If you believe processing of your data violates the GDPR, you can lodge a complaint with a supervisory authority. For North Rhine-Westphalia:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2–4, 40213 Düsseldorf, Germany
www.ldi.nrw.de
8. Changes to this policy
Last updated: July 2026.